API kitchen: The recipe for API testing and hacking using OWASP top 10.

Guide to testing API vulnerabilities using OWASP Top 10


Introduction

An API (application programming interface) is a set of rules that acts as an intermediary between two applications: one side sends a request, the other returns a response. APIs let organizations ship ready-to-use interfaces that anyone can build on.

APIs are like the wait staff of the internet: they carry the order from your device to the kitchen where the data is prepared, then deliver the result right back to you.

APIs are fundamental to how modern software communicates. They have become a critical part of software development because they make it easy to collaborate and to build on existing services.

Because APIs are now so widespread among developers and organizations, they have also become a major target for attackers, and therefore a major focus of testing to make sure no exploitable vulnerability is exposed.

A single application is often built from many connected APIs. That is what makes the application work, but it also makes it hard for developers to keep track of, and properly secure, every endpoint.

Difference between Traditional Web Apps and the use of API

The way an API processes a request differs from how a traditional web application does.

In a traditional web app, the server expects requests in a fairly fixed shape (HTML forms, query strings, cookies), which makes an abnormal request, such as one carrying a cross-site scripting (XSS) payload, comparatively easy to spot. An API request format, on the other hand, can change depending on the solution being built: JSON or XML bodies, custom headers, versioned paths. A traditional web app is also reached mostly through a browser, while an API endpoint can be called from any client: a script written in a programming language, a mobile app, or a tool such as Postman.

An image describing the difference between traditional web app and API interactions

APIs are the secret sauce that connects different systems and lets them share data and functionality. That is exactly why every API endpoint must be tested thoroughly to make sure it is properly secured and not vulnerable to attack.

What is the OWASP top 10 for API

OWASP (the Open Web Application Security Project, renamed the Open Worldwide Application Security Project in 2023) is a non-profit, open-source community that works to improve the security of software. It curates lists of the major attacks and vulnerabilities to watch out for in web applications, APIs and so on.

The OWASP Top 10 is the well-known go-to list for web application testing. OWASP also publishes a separate list for APIs, the OWASP API Security Top 10; the list used in this article is the 2023 edition. It highlights the vulnerability classes most commonly found in APIs.

This article explains the OWASP API Security Top 10 list and shows how to test an API endpoint for the vulnerabilities on it.

OWASP Top 10 for API (2023)
  1. Broken Object Level Authorization (BOLA)

  2. Broken Authentication

  3. Broken Object Property Level Authorization (BOPLA)

  4. Unrestricted Resource Consumption

  5. Broken Function Level Authorization (BFLA)

  6. Unrestricted Access to Sensitive Business Flows

  7. Server-Side Request Forgery (SSRF)

  8. Security Misconfiguration

  9. Improper Inventory Management

  10. Unsafe Consumption of APIs

We will look at each vulnerability one after the other, in this article and subsequent ones: how it occurs, how to test for it and how to fix it. This article covers the first item, BOLA.

Tools needed to perform API testing

The tools required to carry out API testing include:

  1. Postman (postman.com)

  2. Burp Suite Community or Professional

  3. OWASP ZAP

Prerequisites for API testing:

There are not many requirements as to who can test an application, but the tester must be familiar with web technologies and with how APIs work. They should know what a request and a response body look like.

They should be able to use Postman to connect to an API endpoint, and to use Burp Suite to intercept the requests and responses exchanged between the application and the API endpoint.

Broken Object Level Authorization (BOLA)

Broken Object Level Authorization is number one on the list and the most common vulnerability found in API endpoints.

A BOLA attack occurs when an attacker can send a request to a server/endpoint for a data object that they should not be allowed to access, or that should be restricted.

An object here is a record the API stores and exposes, such as a user profile, an order or an invoice. It is a collection of related attributes (the values that describe it), and it is usually addressed by an identifier such as a user ID or order ID carried in the URL path, the query string or the request body.

BOLA vulnerabilities have been behind numerous successful attacks, because through a BOLA flaw an attacker can read or modify objects that belong to other users, including the accounts of users with higher privileges such as administrators.

BOLA is like a broken strainer in a kitchen: it lets unwanted ingredients pass through. In the same way, a BOLA flaw lets through requests that should have been filtered out. The attack works by manipulating the object IDs in an API request to reach a resource the caller is not authorized to see, while the server checks only that the caller is logged in, not that the caller owns the object.

An example of an API request body

An easy way to find a BOLA vulnerability in an API endpoint

Disclaimer: this is meant to help you spot the vulnerability so that it can be fixed, not exploited. It is for educational purposes only.

  1. Identify the endpoints. This matters for two reasons: you do not want to test an endpoint you are not authorized to test, and you need to know which endpoints retrieve or modify a resource by its ID (for example a user, order or document endpoint that takes an identifier in the path or body).

  2. Modify the request sent to the endpoint, mainly by manipulating the IDs attached to it: increment or decrement a numeric ID, swap in an ID that belongs to another account, or change the ID in the body while leaving the one in the path unchanged.

  3. Examine the response to each manipulation: the status code (200, 400, 403, 404, etc.), the response body, and also its length. A 200 that returns another user's data is a clear finding; a different error for "not found" versus "not yours" still tells an attacker which IDs exist.

  4. Test the endpoint with multiple users that you control. Log in as user A and note the IDs of A's objects, then request those same IDs with user B's credentials. If B receives A's resources, the endpoint is vulnerable. The same check applies to group IDs where the application has group accounts.

A successful attack means the attacker has access to resources that should have been restricted to another user.

How to Fix Broken Object Level Authorization (BOLA)

BOLA can seem difficult to fix because it usually results from authorization checks that were overlooked in the design and implementation of the application, but it is not impossible.

Security must be considered from the design stage. That lets you account for every API endpoint in use, how each one handles authorization and how it should be secured.

The fix itself is to enforce an authorization check on every request that reads or writes an object: take the caller's identity from the validated session or token, never from a client-supplied ID, and confirm that this caller is allowed to access that specific object before returning or changing it. Random, hard-to-guess identifiers (such as UUIDs) are useful as defense in depth but are not a substitute for the check. Finally, test the endpoint thoroughly, with several users, to confirm that the authorization is applied consistently.
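The following script is an added example, not code from the article or from any real product, and it ties the two previous sections together: it models the "get order by ID" endpoint twice, once with the BOLA bug and once with the object-level check described above, and runs steps 2 to 4 of the testing procedure against both. The endpoint shape, the bearer tokens (tok_alice, tok_bob), the order records and the ownership table are all constructed for the demo.

```python
"""Toy in-memory API used to demonstrate a BOLA test and its fix.

Added example for this article, not code from the article or from any
real product. The endpoint shape (an order fetched by numeric order ID),
the bearer tokens and the sample orders are all constructed for the demo.
"""
from dataclasses import dataclass

# Constructed sample data: two users, each owning one order.
USERS = {"tok_alice": 1, "tok_bob": 2}           # bearer token -> user id
ORDERS = {
    101: {"owner": 1, "item": "keyboard", "total": 120},
    202: {"owner": 2, "item": "monitor", "total": 450},
}
# What the tester knows from their own test accounts (step 4 of the
# procedure): which object IDs each user legitimately owns.
OWNED = {"tok_alice": {101}, "tok_bob": {202}}


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_get_order(token: str, order_id: int) -> Response:
    """GET /orders/{order_id} that authenticates the caller but never
    checks who owns the order. This is the BOLA bug."""
    if token not in USERS:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def fixed_get_order(token: str, order_id: int) -> Response:
    """Same endpoint with object-level authorization. The caller's
    identity comes from the server-side token mapping, never from the
    request, and is compared with the owner of the requested object."""
    if token not in USERS:
        return Response(401, {"error": "unauthenticated"})
    caller = USERS[token]
    order = ORDERS.get(order_id)
    # Same 404 for "missing" and "not yours", so the response does not
    # confirm to an attacker that another user's ID exists.
    if order is None or order["owner"] != caller:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def bola_check(get_order, owned: dict) -> list:
    """Steps 2-4 of the article's procedure as a script.

    For every pair of distinct test users, request the victim's objects
    with the attacker's token and record the status code and body.
    A 200 for an object the attacker does not own is a finding.
    Returns the list of findings; an empty list means no BOLA found.
    """
    findings = []
    for attacker, mine in owned.items():
        for victim, theirs in owned.items():
            if victim == attacker:
                continue
            for oid in sorted(theirs - mine):      # step 2: swap in foreign IDs
                resp = get_order(attacker, oid)    # step 3: observe the response
                if resp.status == 200:
                    findings.append({"attacker": attacker, "victim": victim,
                                     "order_id": oid, "status": resp.status,
                                     "body": resp.body})
    return findings


if __name__ == "__main__":
    print("vulnerable endpoint:", bola_check(vulnerable_get_order, OWNED))
    print("fixed endpoint:     ", bola_check(fixed_get_order, OWNED))
```

Against the vulnerable handler the check reports two findings (each user can read the other's order); against the fixed handler it reports none, while each user can still read their own order. To run the same check against a real API, replace get_order with a function that sends the HTTP request (for example with the requests library, or by replaying a Postman collection) and returns the status and parsed body; the comparison logic does not change.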

Conclusion

API usage will keep growing as the need for compact solutions that others can build on increases. That makes it important to know how to test an API and to confirm that the application enforces authorization on every object it exposes.
